A honeypot is a network device that the institution uses to attract attackers to a harmless and monitored area of the network. Honeypots have three key advantages over network and host IDSs. Since the honeypot's only function is to be attacked, any network traffic to or from the honeypot potentially signals an intrusion. Monitoring that traffic is simpler than monitoring all traffic passing a network IDS. Honeypots also collect very little data, and all of that data is highly relevant. Network IDSs gather vast amounts of traffic which must be analyzed, sometimes manually, to generate a complete picture of an attack. Finally, unlike an IDS, a honeypot does not pass packets without inspection when under a heavy traffic load.
Honeypots have two key disadvantages. First, they are ineffective unless they are attacked. Consequently, organizations that use honeypots for detection usually make the honeypot look attractive to an attacker. Attractiveness may be in the name of the device, its apparent capabilities, or in its connectivity. Since honeypots are ineffective unless they are attacked, they are typically used to supplement other intrusion detection capabilities.
The second key disadvantage is that honeypots introduce the risk of being compromised without triggering an alarm, thereby becoming staging grounds for attacks on other devices. The level of risk is dependent on the degree of monitoring, capabilities of the honeypot, and its connectivity. For instance, a honeypot that is not rigorously monitored, that has excellent connectivity to the rest of the institution's network, and that has varied and easy-to-compromise services presents a high risk to the confidentiality, integrity, and availability of the institution's systems and data. On the other hand, a honeypot that is rigorously monitored and whose sole capability is to log connections and issue bogus responses to the attacker, while signaling outside the system to the administrator, demonstrates much lower risk.
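The lower-risk design described in the last sentence (log every connection, issue a bogus response, and signal outside the system), as an added example that is not part of this booklet: a minimal low-interaction decoy in Python. The decoy banner, the service label and the in-process alert list are constructed for the demonstration; in a deployment the alert sink would forward to an off-box collector rather than append to a list.

```python
# Added example: low-interaction honeypot decoy (not booklet code). All values constructed.
import socket
import threading
import time

BOGUS_BANNER = b"220 ftp-decoy.example.invalid FTP server ready\r\n"  # constructed decoy

def build_alert(peer, first_bytes):
    # Every connection is suspect: the decoy serves no legitimate purpose.
    return {"ts": time.time(), "src_ip": peer[0], "src_port": peer[1],
            "service": "ftp-decoy", "severity": "high",
            "first_bytes": first_bytes[:64].decode("latin-1", "replace")}

def handle_connection(conn, peer, alert_sink):
    # Issue the bogus response, capture a little of what the client sends, close, alert.
    conn.settimeout(2.0)
    data = b""
    try:
        conn.sendall(BOGUS_BANNER)
        data = conn.recv(256)
    except OSError:  # includes socket.timeout
        pass
    finally:
        conn.close()
    alert_sink(build_alert(peer, data))  # sink should live off-box (syslog/SIEM forwarder)

def serve(bind_addr, alert_sink, max_conns=1):
    # Listen, accept max_conns connections on a background thread, then stop.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(bind_addr)
    srv.listen(5)
    def loop():
        for _ in range(max_conns):
            conn, peer = srv.accept()
            handle_connection(conn, peer, alert_sink)
        srv.close()
    t = threading.Thread(target=loop, daemon=True)
    t.start()
    return srv.getsockname()[1], t

def run_demo():
    # Start the decoy on loopback, act as one probing client, return what each side saw.
    alerts = []
    port, t = serve(("127.0.0.1", 0), alerts.append)
    client = socket.create_connection(("127.0.0.1", port))
    banner = client.recv(256)
    client.sendall(b"USER anonymous\r\n")
    client.close()
    t.join(5)
    return banner, alerts
```

Note that the decoy never executes or relays what it receives; it only records the first bytes and closes, which is what keeps its capability, and therefore its risk, low.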